Is it possible to configure site to site VPN between 2 fortigates using private ips?

So we have a situation where there would be 2 FortiGates. Normally FortiGates would use WAN IPs for the site-to-site connection; is it possible to use private IPs if there is, say, a Comcast layer 3 direct connection between the 2? Or are public IPs needed for site to site (where the default gateway on each FortiGate would be pointed to a router connected to the edge on each side)?

What would the default gateway be on each side, though? Do you need a router for that, and therefore a direct firewall-to-firewall connection wouldn't work because you need routers for default gateways?

Again, I would assume this logic would apply to any firewall and not just FortiGates.

Thank you

First take a step back to simplify this.

Forget the VPN for a minute. When Comcast hands off a point-to-point circuit, it will likely be layer 2, and it will be up to you to configure a device with an IP on each end. You can use your firewalls for this.

So pick any private IP subnet you like, for example:

Firewall WAN2 interface at site 1.
10.10.10.1 255.255.255.252.

Firewall WAN2 interface at site 2.
10.10.10.2 255.255.255.252.

Add static routes to both firewalls to use the Comcast connection to reach subnets at the other site.

Create firewall policies to allow the traffic.

At this point you have site-to-site connectivity.

For some reason you want a VPN too. That's fine, because you can now build an IPsec tunnel between the two firewalls using those private IP addresses you assigned above. Just remember to change your firewall policies and those static routes to use the tunnel you create on top of this connection.
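The steps in this answer written out as FortiOS CLI, as an added example that is not from the original thread or from anyone posting in it. It covers the site 1 FortiGate; site 2 mirrors it with the addresses swapped. The interface names (wan2, internal), the LAN subnets 192.168.1.0/24 and 192.168.2.0/24, the tunnel and address object names and the pre-shared key placeholder are all assumptions. It also adds one thing the post does not mention: a blackhole route for the remote LAN with a worse distance, so that if the tunnel drops, traffic to the other site is discarded instead of falling back onto the unencrypted circuit.

```fortios
# Site 1 FortiGate. Site 2 mirrors this with 10.10.10.2 on wan2,
# remote-gw 10.10.10.1 and the two LAN subnets swapped.
# Addresses, interface and object names are made up for the example.

# Step 1: address the Comcast point-to-point link on wan2 (/30 picked from
# private space). allowaccess ping lets the peer FortiGate ping this
# interface so the circuit can be verified before any VPN exists.
config system interface
    edit "wan2"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping
    next
end

# Step 2 (interim, pre-VPN): route the remote LAN straight across the link.
# Verify the circuit with: execute ping 10.10.10.2
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set gateway 10.10.10.2
        set device "wan2"
    next
end

# Step 3: IPsec tunnel whose endpoints are the private link addresses.
config vpn ipsec phase1-interface
    edit "to-site2"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 10.10.10.2
        set psksecret <pre-shared key, identical on both sides>
    next
end
config vpn ipsec phase2-interface
    edit "to-site2"
        set phase1name "to-site2"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Step 4: point the remote LAN route at the tunnel interface instead of wan2
# (delete the interim route from step 2 once the tunnel is up). The blackhole
# route with a worse distance keeps LAN traffic from being sent in the clear
# over the circuit if the tunnel goes down.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-site2"
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Step 5: policies reference the tunnel interface, not wan2, so only
# encrypted traffic is permitted between the two LANs.
config firewall address
    edit "site1-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "site2-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "site1-to-site2"
        set srcintf "internal"
        set dstintf "to-site2"
        set srcaddr "site1-lan"
        set dstaddr "site2-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "site2-to-site1"
        set srcintf "to-site2"
        set dstintf "internal"
        set srcaddr "site2-lan"
        set dstaddr "site1-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After step 2, `execute ping 10.10.10.2` from the site 1 CLI confirms the circuit works with nothing but the two /30 addresses (no default gateway is involved, since both ends are in the same subnet). Once `diagnose vpn tunnel list` shows the tunnel up, remove the interim wan2 route so the tunnel route and the blackhole are the only paths to the remote LAN.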

You can do it with private IPs; they don't really care.

The default gateway doesn't really come into this problem, though, because if you are connecting the private IPs together they just need to be able to route to each other or be in the same subnet, unless they will have an internet connection attached to them as well.

Thanks, and yes, even if it's a dedicated circuit the VPN is a requirement.

So say Comcast provides a layer 2 connection between the 2 FortiGates; site to site is possible, right? But it needs to be a layer 3 connection in order to use IPs, right?

Then I would assign the private IP addresses to the firewall interfaces. Create a firewall policy to allow them to ping each other so you can verify connectivity. Then build the VPN between the two firewalls using those private IPs.

In effect they are providing a wire between the Fortis from their point of view, so if you wanted them to be on either end of the "wire" you would give them both IP addresses on the same network, probably a /31, unless you are running them in HA mode, in which case you'll size it to meet those requirements.

I see, so you cannot assign an IP address otherwise if the connection is layer 2, right? It has to be a layer 3 connection?

Comcast is basically providing you an Ethernet cable point to point. You need a /30 on this link (you make up the IP addresses), then set up routing, and then you can set up a VPN on top of this if you want to encrypt it.

Layer 2 means they aren't doing any routing for you; you have to do this by putting an L3 device at either end if you need it.